




Citrix NetScaler Application Firewall Training

Agenda
- Citrix WAF overview
- Shunwang (顺网) topology and NetScaler architecture overview
- Service go-live process
- Application Firewall technology overview

Part 1: Citrix WAF overview

Web Application Firewall
- What is protected: database servers holding customer information, business data and transaction information (private data), behind customized web applications, customized packaged applications, and in-house or third-party programs.
- A network firewall or IDS/IPS works on signatures: "If I don't understand it, I let it through."
- A WAF understands the HTTP/HTTPS document: "If I don't understand it, I don't let you through." Normal access is allowed.
- Based on the content logic of the web application, the WAF defines legitimate rules and inspects the content of inbound and outbound connections.

Protection logic: WAF vs IPS vs Network Firewall
Positive protection (whitelist)
- Default behaviour: block; traffic matching the rules: allow
- Benefit: defends against known and unknown attacks
- Products: network firewall, web application firewall, others
- Not prone to false positives (unless misconfigured); needs time to learn and configure
Negative protection (blacklist)
- Default behaviour: allow; traffic matching a signature: block
- Benefit: defends against known attacks
- Products: antivirus software, antivirus gateway, intrusion detection system (IDS), IPS, others
- Prone to false positives; easy to bypass

WAF operating mechanism: bidirectional protection
- Internet side: user request -> WAF request inspection (input validity check) -> safe forwarding to the protected application on the Intranet
- Intranet side: server response -> WAF response content protection -> safe forwarding back to the user

NetScaler Web Application Firewall uses a hybrid security model
- Positive list: self-learning of the application
- Negative list: signature detection
- The hybrid (Negative + Positive) model protects against known and unknown security threats

Citrix NetScaler integrates multiple application security functions
- DDoS, SSL VPN, SSL, WAF, XML FW, AAA, SSO and Reporting on NetScaler MPX and VPX
- Between the Internet and web app users: allows legitimate traffic through; response content inspection; blocks application attacks; defends against zero-day attacks; bidirectional inspection; advanced attack defence; SSL encrypted connection support; ICSA and Common Criteria certified

Part 2: Shunwang topology and NetScaler architecture overview

Current network topology (slide diagram)

NetScaler Architecture Overview: NetScaler-owned IP addresses
The NetScaler system uses different types of IP addresses for management and for proxying connections to the server. These IP addresses are:
- NetScaler IP (NSIP) addresses
- Subnet IP (SNIP) addresses
- Virtual IP (VIP) addresses

NetScaler IP address
- The NetScaler IP address (NSIP) is the primary address for management and general system access.
- The default IP address and netmask is 192.168.100.1/16 (255.255.0.0).
- Changing this IP address requires a reboot of the appliance.

Subnet IP address
- The subnet IP (SNIP) address is used in connection management and server monitoring.
- A SNIP address provides the NetScaler system with an Address Resolution Protocol (ARP) presence in subnets to which the system may not be directly connected.
- A NetScaler system should have a SNIP address configured for every directly connected subnet.

Virtual IP address
- VIP addresses are used for client-to-NetScaler-system communication.
- When the VIP address is a public IP address, it usually corresponds to the DNS entry for a domain.
- A VIP address is automatically created when a virtual server is added.

Entity Management (slide diagram)

High Availability Functionality (slide diagram)

Network-wide configuration changes after go-live
- Publish one VIP externally on the NetScaler (NS).
- The F5 VIP becomes the Service behind the NS VIP.
- On the firewall, change the existing mapping to the F5 VS into a mapping to the NS VS.
- Because the backend servers need to see the client's real IP address, the current architecture has the F5 insert an HTTP X-Forwarded-For header that carries the client IP address, and the servers parse this header to obtain the real client IP. After the NS is deployed, inserting this header becomes the NS's job: the function is removed from the F5 and configured on the NS with the same header name, so the backend servers need no changes at all.

Hardware Components
Hardware components of the NetScaler system include:
- Network interfaces
- LCD
- Serial interface
- File system: RAM drive, flash memory (/flash), hard disk (/var)

Part 3: Service go-live process

Operating procedure
- Log in to the appliance through the GUI to configure it (the client needs a JRE environment). Both the NSIP and a SNIP can be used for configuration management.
- Log in through SSH to view the configuration and perform other operations from the command line.

Go-live steps
1. Create a Service (the F5 VS address).
2. Create the externally published VS address and bind the corresponding Service.
3. Create a WAF Policy.
4. Bind the WAF Policy to the corresponding VS.

Part 4: Application Firewall technology overview

WAF technology introduction: data flow process
1. Client request (external)
2. Request inspections on the NetScaler
3. Client request forwarded to the web applications and database (internal)
4. Server response
5. Response inspections on the NetScaler
6. Server response returned to the client
Security checks: Start URLs, XSS, SQL Injection, Field Consistency, Buffer Overflow, Credit Cards, Safe Object

Full ADC Integration
- Profiles: enable Basic or Advanced defaults; consist of security settings.
- Policies: direct traffic to profiles; match on request or response parameters.
- Once a policy is created it can be set to take effect globally, so that all traffic is inspected by that policy, or bound to a single VS so that it takes effect there only.
- Customizable profiles and policies; complete web app protection with learning; positive security.

Application Firewall: Advanced profile
When configuring the application firewall (appfw), the first thing to do is create a profile. There are Basic and Advanced profiles; what is the difference? With the Advanced profile, sessionization (session tracking) is enabled. The security checks that require sessionization are:
- URL Closure
- Cookie Consistency
- Form Field Consistency

Application Firewall: sessionization
What is sessionization? It means the AppFw has to track all requests and responses from a client as long as the browser remains open within the session timeout period, that is, track each session. The session is marked by a session cookie; the default cookie name is citrix_ns_id. The default session timeout is 900 seconds (15 minutes).

AppFw: why sessionization is needed, example 1, buffer overflow protection
As an example, assume the AppFw is configured with buffer overflow protection such that the maximum allowed URL length is 10 characters. The AppFw does not need to care who sends the request: as long as the URL is longer than 10 characters, it blocks it.

AppFw: why sessionization is needed, example 2, URL Closure
As an example, assume the AppFw is configured with Start URL and URL Closure protection, and the allowed start URL is home1.htm (the slide walks through User A's requests). In this example we can observe that a feature like URL Closure requires the AppFw to "record" some sort of activity for each user/session in order to decide whether to allow or block the request. In other words, the session's history is a factor in the allow/block decision.

AppFw sessionization: the cost
We have to pay the price for sessionization, and that price is memory: since information must be stored for each session, more memory is required. There is something interesting here: apart from the number of users, other factors affect how much memory is required.

AppFw URL Closure example
Web page 1 versus web page 2 (slide diagrams): for URL Closure, which of the two pages will consume more memory when a user accesses it as the start URL?

AppFw memory usage
Of course web page 2 takes more memory, because it has many more hyperlinks; when the AppFw stores information on which links the user may access, it needs to store more information.
- URL Closure: more hyperlinks, more memory required.
- Form Field Consistency: more forms and larger forms, more memory required.
- Usually URL Closure consumes the most memory, because web pages with many links are common while web pages with many forms are less common.

Easy Deployment Mode (Basic Defaults, Positive Security Model)
Protects against:
- SQL Injection
- Cross Site Scripting
- Cross-site Request Forgery (Referer header)
- Forceful Browsing (Start/Deny URLs)
- Buffer Overflow
- Form Field Formatting
No sessionization required; learning-aided deployment.

SQL Injection attacks
How this might be done: the user enters data into a form on a web page, and the application sends this as part of an SQL query to the backend database. Slide example: an "Item Lookup" form ("Enter Desired Item Number", SUBMIT) where the submitted item number is "1234 or 1=1".

Cross-site Scripting (XSS) attacks
- Attacking trust relationships.

Cross Site Request Forgery attacks
- Attacking trust relationships.
- Protection actions: verify Referer headers (CSRF Referer Header Protection); tag each form with a unique token and verify it on form submission (CSRF Form Tagging Protection).

Forceful Browsing attack
- Manipulating request URLs to gain access to content you are not entitled to see.
- Brute-force penetration of the infrastructure.
- Case from the slide: Paris Hilton's Sidekick hacked. Hacker Nicolas Jacobsen pled guilty to a single charge of intentionally accessing a protected computer and recklessly causing damage. Jacobsen was arrested by US authorities last October, but had had access to T-Mobile's servers for more than a year. He reportedly amused himself by accessing US Secret Service email and raiding other Sidekick users' accounts. "I got hacked."

Buffer Overflow Protection
- A buffer overflow attack escalates from the application to the platform to the OS: gain application privileges, gain platform privileges, gain root server access.
- Goal: prevent hackers from gaining unauthorized system privileges.
- The Application Firewall limits input parameter sizes for URLs, headers and cookies between the Internet and the application server.

Advanced Defaults: session-based protection
Session-based; enables additional protections:
- Cookie Consistency and Form Field Consistency
- URL Closure protection
- Tag-based Cross Site Request Forgery protection
Includes all basic protections.

Cookie Poisoning defence
- Prevents identity theft and session hijacking.
- The web server sends the client a cookie; the client returns the cookie to the server; the Application Firewall verifies that the cookies have not been modified by the client.

Cookie Attack Protection: Encrypt Cookies
- Encrypt only session cookies (non-persistent) or all application cookies.
- AES-192 encryption.

Cookie Attack Protection: Proxy Cookies
- Replace all server cookies with a single App Firewall session cookie.

Cookie Attack Protection: Flag Cookies
- HTTPOnly: makes the cookie unavailable to JavaScript.
- Secure: the cookie is submitted only for HTTPS URLs.
- All: both attributes are added to the Set-Cookie header.

CSRF Form Tagging Protection (slide diagram)
Citrix Confidential: Do Not Distribute

HTML Form Field Protection
- The application sends a form to the client; the client completes and returns the form.
- Protect applications by blocking malicious and illegal input parameters.
- For each user session the AppFw ensures that:
  - Each field is returned
  - No fields were added by the client
  - Read-only and hidden fields are unaltered
  - Data in drop-down list or radio button fields conforms
  - The maximum length of form fields is adhered to

Additional Security Measures

Click to Rule Application Firewall
- Application Firewall relaxation rules can now be deployed from the logs.
- The logs must be in CEF log format.
- Convenient option to relax a rule that is blocking a legitimate request.

Common Event Format Logging Support
Log using CEF-based logs; sample line from the slide:
Mar 15 16:48:14 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.90.33.39 spt=52737 method=GET request=http://10.90.196.152/ msg=Disallow Illegal URL. cn1=69 cn2=3999 cs1=Application Firewall Profile cs2=PPE2 cs3=edw9DRH XRTNya64AIYNZM1sgfUA020 cs4=ALERT cs5=2012 act=blocked
Easy integration with numerous vendors that support the CEF format.

Business Object Protection Modules: Financial Theft Prevention
- Prevent the inadvertent disclosure of customer or corporate data.
- Configurable protections: credit card numbers, customer-defined data objects.
- Slide example: lists of Mastercard and VISA card numbers in a response, shown first unprotected and then fully masked with X characters.
- Slide example of a database error leaking in a response: Server: Msg 547, Level 16, State 1, Procedure error_demo_sp, Line 2: UPDATE statement conflicted with COLUMN FOREIGN KEY constraint 'fk7_acc_cur'. The conflict occurred in database 'bos_sommar', table 'currencies', column 'curcode'. The